Costs of compliance
Clause 30 in the draft PDP 2019 Bill requires hiring a Data Protection Officer (DPO) for implementing grievance redressal mechanisms and for accountability during inquiries in case of non-compliance. There is no clarity about whether such a role can be outsourced to third parties who specialize in such compliance requirements. The European General Data Protection Rules (GDPR)1 has clear specifications about the DPO’s hiring, including no short-term or fixed term contract for the role. GDPR2 also specifies that organizations which have large-scale data processing or those which handle sensitive data must hire a DPO. Such specifications should be made clear in the PDP Bill too.
During Privacy Mode’s study on “Privacy Practices in the Indian tech ecosystem” 3 and during discussions at the Data Privacy Conference, representatives from the tech community felt that hiring specialized personnel such as legal and compliance teams, Chief Data Officer (CDO), Privacy Officer, etc is not only a matter of budgets. Such hiring also needs dedicated time and efforts on the part of the top management and leadership. Small and mid-sized organizations deal with this issue by assigning privacy and compliance roles to existing mid- and senior executives. These executives assume compliance roles in addition to handling other responsibilities, resulting in decision-making being split between implementing for privacy versus managing operational exigencies. For a smaller organization, especially a startup that is tapping an unexplored product market, product decisions are influenced more by go-to-market factors rather than by implementing privacy-respecting features. In such cases, Compliance Officers have no veto power on product decisions. In the “Privacy Practices in the tech ecosystem” research4, organizations across different sizes said they were either unaware of the CDO’s or the Compliance officer’s veto powers, or that the officer can veto product decisions when there are real data privacy concerns. Of the large organizations surveyed, only 52% respondents said that Compliance Officers can veto product decisions. Undoubtedly, operational imperatives win.
Clause 24 highlights that an integral process of data protection under PDP requires periodic reports to be submitted. Again, there is a lack of information regarding the intervals at which companies have to submit these reports. Clause 28 requires that periodic reports be sent to the DPA. This clause does not expand on the duration of the periodic intervals. Similarly, it is not clear what constitutes the correct format for such reports. Irrespective of ambiguity, it is also important to take into account that producing reports is a time-consuming process for businesses, especially if they have to either hire staff or invest in automating report generating capabilities. In addition to this, Clause 36 states that data protection will not be enforced with regards to legal cases of clients. Currently, there are over 4.4 crore pending cases in the country5. With such a precedent being allowed in terms of pure compliance, Data Fiduciaries (DF) cannot predict the mountain of data they may need to publish for such cases.
Clause 32 explains the grievance redressal mechanisms that DFs have to implement, and provides adequate resources for Data Principals to protect their data. However, there is no clarity on the processes that have to be implemented to enforce redressal mechanisms. This creates vagueness for stakeholders. A time frame of 30 days has been set for addressing grievances. But this time frame may not be adequate for stakeholders to adequately address grievances, likely leading to litigation. Organizations that do not have adequate manpower to address these concerns will be overburdened. A respondent in the discussion about the future of PDP in India at the Data Privacy Conference explained that startups don’t look at the problem of data governance from day one:
“For many startups, to think about compliance is like taking away 50% of their engineering bandwidth. Data governance as a concept in itself is a massive engineering, product and operational effort.”
Small and medium organizations do not have the organization structures or capabilities to set up specialized departments to handle risk and compliance. This, combined with their lack of training budgets for privacy and lack of standardized procedures to handle privacy concerns and risk, is a point of great concern that will have implications across the tech ecosystem. GDPR doesn’t define a specific time frame for responding to complaints 6. Instead, the law has a time range for handling grievances and complaints. GDPR also goes into details to explain what can be considered grievances7 under the law and mentions the period within which the Data Controller must issue petitions to the DPA. An additional complication in the draft PDP Bill is in Clause 36 which enforces that personal data protections are not subject to legal cases. This can lead to organizations being embroiled in more litigation.
Finally, Clause 53 focuses on the inquiry process when the DPA adjudicates that an organization has not complied with the PDP legislation. Since the DPA is the final authority for compliance, as mentioned in Clause 24, complexities will arise if the DPA also has the sole discretion to determine non-compliance too. The inquiry process not only holds everyone who works with the DPO accountable as part of the enquiry process; contractors will also be made party to these disputes and inquiry processes if they provided services to the DPO’s office. Given the risks of litigation, consultants and third-parties may either be disinclined to provide services or they may increase the costs of their services to include estimates of participating in the inquiry processes. This may require businesses to mass hire for compliance which they may not be able to afford (and the fact that the skill sets for such hiring may not even exist in the market in the initial years of compliance).
Clauses 58 to 61 highlight the financial costs of non-compliance, and explain the range of financial penalties for non-compliance for DFs. There are different ranges for DFs and SDFs. Here, the risk is that if the DPA classifies a small business as an SDF, the penalty amounts will increase, and add to the costs of operations for small businesses. Many small businesses may not be able to survive in the current climate.
We recommend that the above Clauses provide more clarity on the exact processes and nuances for personal data processing. Terminologies such as public interest need to be specified with adequate examples. Similarly, periodic intervals must be specified and must take into account the size of the organization, manpower and investment for such implementation.
The GDPR’s rules for DPO’s: https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en ↩
Helps us expand on the compliance variations based on the organization: https://www.compliancejunction.com/small-business-dpo-gdpr/ ↩
Privacy Mode’s study on Privacy Practices in the tech ecosystem is published at: https://hasgeek.com/PrivacyMode/privacy-in-indian-tech-2020/ ↩
The number of pending court cases have only gone up since the pandemic, going up by 19 percent since last year. https://timesofindia.indiatimes.com/india/pending-cases-in-india-cross-4-4-crore-up-19-since-last-year/articleshow/82088407.cms ↩
Refer to complaints handling process under GDPR: https://edps.europa.eu/data-protection/our-role-supervisor/complaints-handling-data-protection-notice_en ↩
Refer to complaints definition and processes under GDPR: https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en ↩